How Many Legs Does Your Security Stool Have

This is the transcript of a May 2007 podcast I produced for TechTarget.

Security begins with the letter "A"

Authentication and authorization are the two most fundamental and commonly employed attributes of security. They sound alike, and their definitions are often confused, so let me begin by offering mine:

Authentication is the means by which a person proves he is who he claims to be in a non-refutable manner. Authentication is also a means whereby a computer system proves it is the originator of a packet, and how an application such as a web server proves it is the agent for an e-merchant's online credit card transaction.

Authorization is the process of determining whether an identity is entitled or allowed access to a resource or asset. Authorization typically assumes that an identity has been authenticated. An identity that is allowed access is trusted and granted access permissions, in accordance with defined policy.

Most organizations use one or more authentication methods, and extend these to branch office users. Fewer organizations devote as much attention to authorization. Commonly, authenticated users at branch offices have access to individual and group accounts on local servers as well as intranet servers hosted at HQ, and also unrestricted access to the web and to collaborative applications like IM and VoIP.

Assuming yours is an organization whose branch offices have an authentication strategy in place, I recommend that you add a security A. Revisit your authorization policy for branch offices. Consider implementing egress traffic filtering. Rather than allowing access to ANY external service, begin with a DENY ALL rule, and then allow access to the set of applications you determine are business-appropriate.
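The difference between the two policy styles is easiest to see in code. The following is an added illustration, not part of the original transcript: a small evaluator that runs the same constructed set of branch-office connection attempts through a default-allow policy (a short block-list) and through a default-deny policy (an allow-list with DENY ALL as the final rule). The application names, ports and rule sets are constructed for the example.

```python
"""Default-deny versus default-allow egress policy, evaluated over sample flows.

Added example; rule sets and flows are constructed, not taken from any product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    app: str        # application identity as the branch firewall/proxy classifies it
    dst_port: int   # destination port
    proto: str      # "tcp" or "udp"


# Allow-list: the applications this (hypothetical) business decided are appropriate.
ALLOW_RULES = [
    ("https", 443, "tcp"),
    ("intranet-vpn", 1194, "udp"),
    ("dns", 53, "udp"),
]

# Block-list: what an "allow ANY external service" posture usually amounts to,
# a handful of explicit denials with everything else permitted.
BLOCK_RULES = [
    ("smtp", 25, "tcp"),
]


def evaluate_default_deny(flow):
    """Rules are checked in order; if nothing matches, the final rule is DENY ALL."""
    for app, port, proto in ALLOW_RULES:
        if (flow.app, flow.dst_port, flow.proto) == (app, port, proto):
            return "ALLOW"
    return "DENY"


def evaluate_default_allow(flow):
    """Rules are checked in order; if nothing matches, the flow falls through to ALLOW."""
    for app, port, proto in BLOCK_RULES:
        if (flow.app, flow.dst_port, flow.proto) == (app, port, proto):
            return "DENY"
    return "ALLOW"


# Constructed connection attempts from a branch office.
SAMPLE_FLOWS = [
    Flow("https", 443, "tcp"),
    Flow("im-client", 5222, "tcp"),   # collaborative app the policy never considered
    Flow("voip", 5060, "udp"),
    Flow("smtp", 25, "tcp"),
]


def compare(flows=SAMPLE_FLOWS):
    """Return {app: (default_allow_decision, default_deny_decision)} for each flow."""
    return {f.app: (evaluate_default_allow(f), evaluate_default_deny(f)) for f in flows}


if __name__ == "__main__":
    for app, (permissive, strict) in compare().items():
        print(f"{app:12s} default-allow={permissive:5s} default-deny={strict}")
```

The flows the business never thought about (the IM client, VoIP) are the ones that separate the two policies: under default-allow they pass because no rule mentions them, under default-deny they are stopped for exactly the same reason.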

So far, we've looked at two security attributes, and both begin with the letter A. Curiously, or perhaps intentionally, many other security attributes begin with the letter A: Accounting, Accuracy, Authenticity, Availability.

Three-legged Stool (Triple-A)

Not remarkably, security professionals took advantage of this happy circumstance and developed analogies to explain the fundamentals of security. An early popular analogy likened the essential attributes of security to a three-legged stool, to illustrate why security, like a stool, needs more than two legs to stand on its own. Authentication server vendors, especially those who supported what is known as the RADIUS authentication protocol, chose to add accounting as the third leg. They coined the term Triple A to kindle interest among service providers who were exploring alternatives to flat monthly-rate Internet access.

Today, some security professionals feel that accounting was not the best choice to complement authentication and authorization as a third leg, and replace accounting with the more general (and, in my opinion, more practical) choice of auditing, which is the process of monitoring and recording networking and security-related events for subsequent correlation and analysis.

Auditing is commonly implemented using event logging, and most server, storage, networking and security systems you would consider using in a branch office can log events. I encourage you to add a third leg to your security stool. Assess the extent to which logging is enabled at your branch offices. Develop a strategy for monitoring branch office activities more aggressively, and for securely transmitting logs to a central repository where they can be analyzed in the aggregate by the expert staff you are more likely to have at your main office NOC and data centers than at branch offices.
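What "analyzed in the aggregate" buys you is easiest to show with logs from more than one branch. The following added example (not from the podcast, and not any vendor's log tooling) parses constructed sshd-style syslog lines shipped from two hypothetical branches, tags each event with the branch it came from, and then asks a question no single branch can answer on its own: which accounts are failing authentication at more than one site?

```python
"""Central correlation of branch-office authentication logs.

Added example; the log lines, hostnames, users and branch names are constructed.
"""
import re
from collections import defaultdict

# Constructed syslog-style lines, as a branch file server's sshd would emit them.
# Each branch forwards its log to the central repository tagged with a site id.
BRANCH_LOGS = {
    "branch-boston": [
        "May 14 09:01:02 fs01 sshd[812]: Failed password for jdoe from 10.1.5.20 port 51122 ssh2",
        "May 14 09:01:09 fs01 sshd[812]: Failed password for jdoe from 10.1.5.20 port 51123 ssh2",
        "May 14 09:02:40 fs01 sshd[830]: Accepted password for asmith from 10.1.5.31 port 51200 ssh2",
    ],
    "branch-denver": [
        "May 14 09:01:30 fs02 sshd[440]: Failed password for jdoe from 10.2.7.9 port 40011 ssh2",
        "May 14 09:03:11 fs02 sshd[441]: Failed password for root from 10.2.7.9 port 40012 ssh2",
    ],
}

# Matches the common OpenSSH password-auth message shape; other line types are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse(branch, line):
    """Turn one raw line into a dict of fields, tagged with the originating branch."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["branch"] = branch
    return event


def aggregate(branch_logs=BRANCH_LOGS):
    """Count failed logins per user across all branches, remembering which branches."""
    failures = defaultdict(lambda: {"count": 0, "branches": set()})
    for branch, lines in branch_logs.items():
        for line in lines:
            event = parse(branch, line)
            if event and event["result"] == "Failed":
                failures[event["user"]]["count"] += 1
                failures[event["user"]]["branches"].add(branch)
    return dict(failures)


def multi_branch_failures(branch_logs=BRANCH_LOGS, min_branches=2):
    """Users whose failed logins span at least `min_branches` sites: visible only centrally."""
    return sorted(user for user, f in aggregate(branch_logs).items()
                  if len(f["branches"]) >= min_branches)


if __name__ == "__main__":
    for user, f in aggregate().items():
        print(f"{user:8s} failures={f['count']} branches={sorted(f['branches'])}")
    print("failing at multiple branches:", multi_branch_failures())
```

Each branch on its own sees one or two failed logins for `jdoe`, which is unremarkable; only the central view shows the same account being tried at two sites within a minute. Whatever transport you pick for the forwarding, the central copy should be written to storage the branch systems cannot modify, so that a compromised branch host cannot rewrite its own history.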

Are three legs sufficient? Anyone who's used a three-legged camper's stool on uneven or soft ground will attest that three-legged stools are not the steadiest seat one might design.

Four legs provide a sturdier seat

For many security professionals, the fourth leg of choice is Authenticity or its security synonym, Accuracy. Authenticity is a process by which the integrity of data and its origin are verified. Authenticity assures the recipient of data that the data he received are an exact copy of the data that were transmitted, and that the data were indeed produced by the sender. You can implement this security A in many ways, and incrementally. Consider whether integrity protection measures would be appropriate for the data that is likely to reside, be stored at, or communicated to and from branch offices. For example, it might be useful to put anti-tampering measures on servers to protect against unauthorized or unintentional modification of critical system and configuration files. If your business routinely exchanges sensitive information using internal mail and document delivery systems, consider whether employees should hash and sign such documents.
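The two measures suggested above (anti-tampering on servers, and hashing and signing documents) share one mechanism: a digest of the data, protected by a key so that an attacker who can change the data cannot also silently change the digest. The following added example (my illustration, not from the podcast) builds a baseline of critical files' SHA-256 hashes, seals the baseline with an HMAC, and then shows what a later check reports when a file is edited and when someone tries to forge the baseline itself. The file names and key are constructed; in practice the key is kept off the monitored host.

```python
"""Tamper-evident file integrity baseline: hashed files, HMAC-sealed manifest.

Added example; paths and key are constructed for the demonstration.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _seal(manifest, key):
    """HMAC over a canonical JSON encoding of the manifest."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_baseline(paths, key):
    """Record the digest of every file and seal the whole manifest with the key."""
    manifest = {p: sha256_file(p) for p in sorted(paths)}
    return {"manifest": manifest, "hmac": _seal(manifest, key)}


def verify_baseline(baseline, key):
    """Check the seal first; only a manifest that is authentic is worth comparing against."""
    if not hmac.compare_digest(_seal(baseline["manifest"], key), baseline["hmac"]):
        return {"manifest_tampered": True, "modified": [], "missing": []}
    modified, missing = [], []
    for path, digest in baseline["manifest"].items():
        if not os.path.exists(path):
            missing.append(path)
        elif sha256_file(path) != digest:
            modified.append(path)
    return {"manifest_tampered": False, "modified": modified, "missing": missing}


def demo():
    """Baseline two constructed config files, then edit one, then forge the manifest."""
    key = b"constructed-demo-key-keep-this-off-the-monitored-host"
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "sshd_config")
        hosts = os.path.join(d, "hosts")
        with open(cfg, "w") as f:
            f.write("PermitRootLogin no\n")
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")

        baseline = build_baseline([cfg, hosts], key)
        clean = verify_baseline(baseline, key)

        # Unauthorized change to a critical file.
        with open(cfg, "a") as f:
            f.write("PermitRootLogin yes\n")
        after_edit = verify_baseline(baseline, key)

        # Attacker updates the recorded digest to match but cannot recompute the HMAC.
        forged = {"manifest": dict(baseline["manifest"], **{cfg: sha256_file(cfg)}),
                  "hmac": baseline["hmac"]}
        after_forgery = verify_baseline(forged, key)
    return clean, after_edit, after_forgery


if __name__ == "__main__":
    for label, result in zip(("clean", "after edit", "after forgery"), demo()):
        print(f"{label:14s} {result}")
```

The same `_seal` step applied to a document instead of a manifest is the "hash and sign" suggestion for internal mail; a digital signature would use an asymmetric key so the recipient can verify without holding the secret, but the integrity property being checked is the same.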

Four legs make for a sturdy stool. But recently, security professionals have been exploring ways to make the stool even sturdier, if somewhat unusual in appearance.

Historically, authentication has been considered the enabler of all security services. Let's look at some examples where having verified that a person is who he claims to be isn't enough.

Mary proves her identity to an air transportation security inspector using her government-issued passport. Knowing that Mary is indeed Mary doesn't assure us that she's not concealing a weapon.

John proves his identity to a US Customs and Immigration officer using his new Canadian high-security driver's license. Knowing that John is who he claims to be doesn't tell us whether he's carrying a communicable disease.

Beth is on her way to a confidential board meeting where her company's earnings will be reviewed prior to public disclosure of its annual report. She proves her identity to the security guard at her employer's office using her company-issued ID. Knowing that Beth is who she claims to be doesn't tell us whether an industrial spy's planted a listening device on her clothing.

Suppose Mary, John and Beth are not people but computers trying to connect to networks. Mary's concealing a rootkit. John's infected with a virus. Beth's hosting a keylogger. Just as in our real-world examples, authentication alone doesn't help us assert the trustworthiness of the endpoint device from which a user will authenticate and subsequently access data.

Adding a Fifth Leg

Admission control adds a desperately needed leg to the security stool. It's conceptually simple. When a device attempts to connect to a network, we examine that device to verify that it is free of malicious code before we accept a single keystroke from a user at that device. We can verify that all security measures - firewall, antivirus, antispyware, host IDS - have all the current patches, malware and intrusion signatures, are properly configured and are operating as anticipated. If an endpoint fails to meet these criteria, we can block admission, or quarantine the endpoint to a location on our network where the user can access the resources required to bring the endpoint into compliance.
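The decision the paragraph describes is a policy evaluated over a posture report from the endpoint. The following added example (not the podcast's, and not any admission-control product's agent or protocol) encodes that policy in a few lines: required agents must be running, antivirus signatures must be recent, no critical patches may be missing, and anything the report does not say is treated as a failure. The posture reports, policy thresholds and the reference date are constructed.

```python
"""Admission decision from an endpoint posture report: ADMIT or QUARANTINE.

Added example; reports, thresholds and dates are constructed.
"""
from datetime import date

# Hypothetical policy a branch office might inherit from HQ.
POLICY = {
    "required_running": ("firewall", "antivirus", "antispyware", "host_ids"),
    "max_signature_age_days": 3,
    "max_missing_critical_patches": 0,
}

# Constructed posture reports as an endpoint agent might submit them at connect time.
HEALTHY_REPORT = {
    "hostname": "branch-laptop-17",
    "services": {
        "firewall": {"running": True},
        "antivirus": {"running": True, "signature_date": date(2007, 5, 14)},
        "antispyware": {"running": True},
        "host_ids": {"running": True},
    },
    "missing_critical_patches": 0,
}

STALE_REPORT = {
    "hostname": "branch-laptop-22",
    "services": {
        "firewall": {"running": True},
        "antivirus": {"running": True, "signature_date": date(2007, 4, 30)},
        "antispyware": {"running": True},
        "host_ids": {"running": False},
    },
    "missing_critical_patches": 2,
}


def evaluate_posture(report, policy=POLICY, today=date(2007, 5, 15)):
    """Return (decision, failures). Every check fails closed on missing data."""
    failures = []
    services = report.get("services", {})

    for svc in policy["required_running"]:
        if not services.get(svc, {}).get("running"):
            failures.append(f"{svc} not running")

    sig_date = services.get("antivirus", {}).get("signature_date")
    if sig_date is None:
        failures.append("antivirus signature date unknown")
    elif (today - sig_date).days > policy["max_signature_age_days"]:
        failures.append(f"antivirus signatures stale ({(today - sig_date).days} days old)")

    missing = report.get("missing_critical_patches")
    if missing is None:
        failures.append("patch level unknown")
    elif missing > policy["max_missing_critical_patches"]:
        failures.append(f"{missing} critical patch(es) missing")

    return ("ADMIT" if not failures else "QUARANTINE"), failures


def network_for(decision):
    """Map the decision to where the endpoint lands: production, or a remediation segment."""
    return "production" if decision == "ADMIT" else "remediation-vlan"


if __name__ == "__main__":
    for report in (HEALTHY_REPORT, STALE_REPORT, {"hostname": "unknown-device"}):
        decision, why = evaluate_posture(report)
        print(f"{report.get('hostname'):18s} {decision:10s} -> {network_for(decision)} {why}")
```

The remediation segment is where the quarantined device gets its signature updates and patches; the list of failures returned with the decision is what the user (or help desk) needs to bring the endpoint into compliance, and is also worth logging centrally, which ties this leg back to auditing.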

Many organizations have successfully implemented these five As throughout their main offices and campuses. Organizations that have completed this phase of deployment are now actively planning, and in some cases deploying, additional security As at branch offices. The blueprint for branch office deployment will vary across organizations.

Organizations that run their networks in a hub and spoke arrangement are best positioned to add As to improve branch office security. These organizations can leverage admission control and authentication services already deployed at main offices so that all devices are screened for admission, all users are authenticated, data access controls are imposed uniformly, all network and security events are audited and all copies of data are readily authenticated.

Organizations that allow branches to operate more autonomously, or that must contend with business variables - mergers and acquisitions, for example - may have to choose a different path. Fortunately, admission control is available in many point products and can be used to complement branch-in-a-box solutions to add this fifth and valuable leg to the stool. And while your organization is implementing admission control, it can revisit some of the other security As as well.